PASTA stands for The Process for Attack Simulation and Threat Analysis.

  1. Define business objectives
  • What's important to your business?
  2. Define the technical scope of assets and components
  • Identify the attack surface. Look at configuration, databases, middleware, third-party components, etc. Document all of it.
  3. Perform application decomposition
  • Understand the relationship between the various components
  • Understand user roles and permissions
  • Data flow diagrams
  4. Analyze threats
  5. Detect vulnerabilities
  • Identify issues by reviewing application architecture and by using scanning tools.
  6. Analyze and model attacks
  • Build attack trees: a diagram which shows how an asset can be targeted
  7. Analyze risks or impacts and develop countermeasures
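As an added example (not part of the original notes), here is a small attack-tree evaluator that ties stage 6 to stage 7: an AND/OR tree over a constructed asset is scored by attacker effort, the cheapest route to the asset is reported, and the leaf whose mitigation raises the attacker's minimum cost the most is picked as the countermeasure to fund first. All node names, costs and the `Node` class are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
@dataclass
class Node:
    name: str
    gate: str = "LEAF"       # "LEAF", "OR" (any child suffices) or "AND" (all children needed)
    cost: float = 0.0        # leaves only: estimated attacker effort, in constructed units
    children: list["Node"] = field(default_factory=list)
    mitigated: bool = False  # True once a countermeasure closes this leaf

def attacker_cost(node: Node) -> float:
    """Minimum effort an attacker must spend to reach this node's goal."""
    if node.gate == "LEAF":
        return float("inf") if node.mitigated else node.cost
    costs = [attacker_cost(c) for c in node.children]
    return min(costs) if node.gate == "OR" else sum(costs)

def cheapest_path(node: Node) -> list[str]:
    """Leaves on the least-effort route to the goal; empty if no feasible route remains."""
    if attacker_cost(node) == float("inf"):
        return []
    if node.gate == "LEAF":
        return [node.name]
    if node.gate == "OR":
        return cheapest_path(min(node.children, key=attacker_cost))
    return [leaf for c in node.children for leaf in cheapest_path(c)]

def leaves(node: Node) -> list[Node]:
    return [node] if node.gate == "LEAF" else [l for c in node.children for l in leaves(c)]

def best_countermeasure(root: Node) -> tuple[str, float]:
    """The single leaf whose mitigation raises the attacker's minimum cost the most."""
    best_name, best_cost = "", attacker_cost(root)
    for leaf in leaves(root):
        leaf.mitigated = True            # try closing this leaf ...
        new_cost = attacker_cost(root)
        leaf.mitigated = False           # ... then restore the tree
        if new_cost > best_cost:
            best_name, best_cost = leaf.name, new_cost
    return best_name, best_cost

# Constructed attack tree for the asset "customer records"; node names and costs are illustrative.
CUSTOMER_RECORDS = Node("Read customer records", "OR", children=[
    Node("Exploit the web application", "AND", children=[
        Node("Find an injection flaw", cost=3), Node("Extract data through the flaw", cost=2)]),
    Node("Abuse a valid account", "OR", children=[
        Node("Phish an administrator", cost=4), Node("Reuse a leaked password", cost=1)]),
    Node("Reach the database host", "AND", children=[
        Node("Get onto the internal network", cost=6), Node("Read the database files", cost=2)]),
])
```

Calling `attacker_cost(CUSTOMER_RECORDS)`, `cheapest_path(CUSTOMER_RECORDS)` and `best_countermeasure(CUSTOMER_RECORDS)` shows that the leaked-password leaf is both the cheapest route and the mitigation that most raises attacker cost, which is the kind of prioritisation stage 7 is meant to produce.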